Top Ten 2008 Threats

The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more.)

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that the consolidated table (Table 2 below) gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.
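As an added illustration of the consolidation step (this is not ESET’s code, and the family mapping is my own reading of the text), the script below takes the twenty rows of Table 1, folds each detection name into a trend family, and re-ranks the families by volume. Two folds are assumptions rather than statements on the page: WMA/TrojanDownloader.Wimad.N is counted with GetCodec, and Win32/AutoRun.KS with INF/Autorun; with those two assumptions the output reproduces Table 2 exactly, both the detection counts and the summed percentages. The implied-total helper simply back-calculates the year’s overall detection volume from the largest row’s count and share.

```python
# Added example (not from the post): consolidate ESET's 2008 Table 1 rows
# into the trend families of Table 2 and re-rank them.

# Table 1 of the post: (detection name, detections, % of total detections).
TOP20_2008 = [
    ("Win32/PSW.OnLineGames.NMY", 22990746, 6.69),
    ("INF/Autorun.gen", 13827373, 4.03),
    ("INF/Autorun", 10593305, 3.08),
    ("Win32/Toolbar.MyWebSearch", 8921028, 2.60),
    ("Win32/Pacex.Gen", 8620971, 2.51),
    ("Win32/PSW.OnLineGames.NMP", 6713116, 1.95),
    ("WMA/TrojanDownloader.GetCodec.Gen", 5685400, 1.66),
    ("WMA/TrojanDownloader.Wimad.N", 5218889, 1.52),
    ("Win32/PSW.OnLineGames.NNU", 5096504, 1.48),
    ("Win32/Agent", 4859566, 1.41),
    ("Win32/Adware.Virtumonde", 4588952, 1.34),
    ("Win32/AutoRun.KS", 4087011, 1.19),
    ("Win32/Genetik", 3828021, 1.11),
    ("Win32/Qhost", 3717897, 1.08),
    ("Win32/Statik", 3244414, 0.94),
    ("Win32/TrojanDownloader.Murlo.NN", 3140400, 0.91),
    ("Win32/Agent.AJVG", 2900763, 0.84),
    ("Win32/HackAV.G", 2305628, 0.67),
    ("Win32/PSW.OnLineGames.ODJ", 2270310, 0.66),
    ("Win32/Patched.BU", 2254901, 0.66),
]

# Consolidation rules as (case-insensitive name prefix, family label).
# First match wins; a name matching no rule keeps its own label.
# The Wimad -> GetCodec and Win32/AutoRun -> INF/Autorun folds are my
# assumption; the post describes the grouping only in general terms.
FAMILY_RULES = [
    ("win32/psw.onlinegames", "Win32/PSW.OnLineGames"),
    ("inf/autorun", "INF/Autorun"),
    ("win32/autorun", "INF/Autorun"),
    ("wma/trojandownloader.getcodec", "WMA/TrojanDownloader.GetCodec.Gen"),
    ("wma/trojandownloader.wimad", "WMA/TrojanDownloader.GetCodec.Gen"),
    ("win32/agent", "Win32/Agent"),
]


def family_of(name):
    """Return the consolidated family for one detection name."""
    lowered = name.lower()
    for prefix, family in FAMILY_RULES:
        if lowered.startswith(prefix):
            return family
    return name


def consolidate(rows, top_n=10):
    """Sum counts and shares per family, rank by count, keep the top N.

    Returns a list of (family, detections, share_percent) tuples.
    """
    totals = {}
    for name, count, share in rows:
        fam = family_of(name)
        c, s = totals.get(fam, (0, 0.0))
        totals[fam] = (c + count, s + share)
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(fam, c, round(s, 2)) for fam, (c, s) in ranked[:top_n]]


def implied_total(rows):
    """Back-calculate total yearly detections from the largest row.

    The largest row carries the smallest relative rounding error in its
    quoted percentage, so it gives the tightest estimate.
    """
    _, count, share = max(rows, key=lambda r: r[1])
    return round(count / (share / 100.0))


if __name__ == "__main__":
    print(f"{'Family':<36}{'Detections':>12}{'Share':>8}")
    for fam, count, share in consolidate(TOP20_2008):
        print(f"{fam:<36}{count:>12}{share:>7.2f}%")
    print(f"\nImplied total detections in 2008: ~{implied_total(TOP20_2008):,}")
```

Running it prints the same ten families, counts and percentages as Table 2, which is a useful check that the two tables on the page are internally consistent; the implied total comes out at roughly 344 million detections for the year.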

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

  • Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
  • Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
  • While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
  • The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
  • Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
  • The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames.NMY | 22990746 | 6.69% |
| INF/Autorun.gen | 13827373 | 4.03% |
| INF/Autorun | 10593305 | 3.08% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/PSW.OnLineGames.NMP | 6713116 | 1.95% |
| WMA/TrojanDownloader.GetCodec.Gen | 5685400 | 1.66% |
| WMA/TrojanDownloader.Wimad.N | 5218889 | 1.52% |
| Win32/PSW.OnLineGames.NNU | 5096504 | 1.48% |
| Win32/Agent | 4859566 | 1.41% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/AutoRun.KS | 4087011 | 1.19% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |
| Win32/TrojanDownloader.Murlo.NN | 3140400 | 0.91% |
| Win32/Agent.AJVG | 2900763 | 0.84% |
| Win32/HackAV.G | 2305628 | 0.67% |
| Win32/PSW.OnLineGames.ODJ | 2270310 | 0.66% |
| Win32/Patched.BU | 2254901 | 0.66% |

Table 2: Top Ten Trend Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames | 37070676 | 10.78% |
| INF/Autorun | 28507689 | 8.30% |
| WMA/TrojanDownloader.GetCodec.Gen | 10904289 | 3.18% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/Agent | 7760329 | 2.25% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Author David Harley, ESET

  • http://www.eset.bg ESET BG

    Great post, thanks for sharing it with us.

    Hope to see more of those on this blog. Also would like to get info from here about the latest news in the industry.

  • http://www.smallblue-greenworld.co.uk David Harley

    Thank you! :)

    There will certainly be more of these. We’ll see what we can do about industry news. Some people get cold shivers if we mention other companies too much, but as researchers, we’re very aware that some of our competitors are also co-members of a community. I might come back to this theme tomorrow. ;-)

  • http://www.eset.ie Urban Schrott

    Hi. Good one! Mind if we re-use?

    Also… have you got this one on your radar?
    http://www.pcadvisor.co.uk/news/index.cfm?newsid=109653

    Regards,
    U.

  • http://www.smallblue-greenworld.co.uk David Harley

    Thanks, Urban!

    You’re very welcome to re-use. :)

    We’re well aware of Waledac. In fact, Pierre-Marc blogged in December (see http://www.eset.com/threat-center/blog/?p=273) about its resemblance to Storm. I’m up to my ears in other stuff today, but we’re probably overdue to revisit Waledac here, in view of the use of inauguration-related social engineering. I’ll try to get back to it soon.

Copyright © 2014 ESET, All Rights Reserved.